#VU88829 Arguments injection in go-getter - CVE-2024-3817

Cybersecurity Help s.r.o.

Published: 2024-04-19

Vulnerability identifier: #VU88829

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-3817

CWE-ID: CWE-88

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
go-getter
Universal components / Libraries / Libraries used by multiple products

Vendor: HashiCorp

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation of arguments when executing Git to discover remote branches. A remote attacker can execute arbitrary code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

go-getter: 1.0.0 - 1.7.3

External links
https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040
https://github.com/hashicorp/go-getter/releases/tag/v1.7.4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for AIOps

HashiCorp Nomad update for go-getter library

Arguments injection in HashiCorp go-getter library